Abstract: Confidentiality, integrity and authentication are more relevant issues in Ad hoc networks than in wired fixed networks. One way to address these issues is the use of symmetric key cryptography, relying on a secret key shared by all members of the network. But establishing and maintaining such a key (also called the session key) is a non-trivial problem. We show that Group Key Agreement (GKA) protocols are suitable for establishing and maintaining such a session key in these dynamic networks. We take an existing GKA protocol, which is robust to connectivity losses, and discuss all the issues for the good functioning of this protocol in Ad hoc networks. We give implementation details and network parameters, which significantly reduce the computational burden of using public key cryptography in such networks.

INRIA Rocquencourt Research Unit
Domaine de Voluceau, Rocquencourt, BP 105, 78153 Le Chesnay Cedex (France)
Telephone: +33 1 39 63 55 11, Fax: +33 1 39 63 53 30



AGDH (Asymmetric Group Diffie Hellman), an efficient key agreement protocol for Ad Hoc networks

Summary: Confidentiality, integrity and authentication problems are increasingly prevalent in Ad Hoc networks, but also in wired fixed networks. One approach to these problems is to use symmetric (secret-key) cryptography, relying on a key shared by all members of the network. But establishing and maintaining such a key, called the session key, is a non-trivial problem. We show that group key agreement protocols (GKAs: Group Key Agreement protocols) are well suited to establishing and maintaining such session keys in dynamic networks. We consider an already established protocol, which is robust to connectivity losses, and we examine all the problems relating to the proper functioning of this protocol in Ad Hoc networks. We give implementation details and network parameters, which considerably reduces the computational load tied to the use of public-key cryptography in such networks.

Keywords: Ad Hoc networks, cryptographic protocols, Diffie-Hellman protocol
1 Introduction

A Mobile Ad hoc NETwork (MANET) is a collection of mobile nodes connected via a wireless medium forming an arbitrary topology. Implicit herein is the ability for the network topology to change over time as links in the network appear and disappear. To maintain the network connectivity, a routing protocol must be used. An important security issue is that of the integrity of the network itself. Quite a lot of studies have already been done to resolve security issues in existing routing protocols (see [HPJ02], [PMdS03], [ACJ+03b], [ACL+05]).



An orthogonal security issue is that of maintaining confidentiality and integrity of data exchanged between nodes in the network. The task of ensuring end-to-end security of data communications in MANETs is equivalent to that of securing end-to-end security in traditional wired networks. Many studies have been carried out to solve this problem. One widespread solution is to create a virtual private network (VPN) in a tunnel between the two communicating nodes. IPSec is a well known security architecture which allows such VPNs to be built between two communicating nodes. However this solution requires a different secret key for each end-to-end connection. Moreover the VPN solution can simply handle unicast traffic. An alternative solution is the use of a shared secret key. There are many issues with such an approach. First, this key must be distributed among the network nodes. Second, to avoid the compromising of this key it is required to renew the key often. A solution to these two issues is the use of a Group Key Agreement protocol, which relies on the principles of public key cryptography.

A Group Key Agreement protocol (GKA) is a key establishment technique in which a 
shared secret is derived by more than two participants as a function of information publicly 
contributed by each of them. They are especially well suited to moderate sized groups with 
no central authority to distribute keys. An authenticated group key agreement protocol 
provides the property of key authentication (also called implicit key authentication), whereby 
each participant is assured that no other party besides the participants can gain access to the 
computed key. GKA protocols are different from group key distribution (or key transport) 
protocols wherein one participant chooses the group key and communicates it to all others. 
GKA protocols help in deriving keys which are composed of each one's contribution. This 
ensures that the resulting key is fresh (for a given session) and is not favorable to one 
participant in any way. The following security goals can be identified for any GKA protocol. 

1) Key Secrecy: The key can be computed only by the participants. 

2) Key Independence: Knowledge of any set of group keys does not lead to the knowledge of any other group key not in this set (see [BM03]).

3) Forward Secrecy: Knowledge of some long term secret does not lead to the knowledge of past group keys.

An important advantage of a group key agreement protocol over a simple group key 
distribution scheme is the forward secrecy. This property can be particularly interesting 
in situations where some nodes are likely to be compromised (e.g. in military scenarios). 
In such scenarios, using a GKA, the knowledge of the long term secret of this node does 
not compromise all past session keys. From a functional point of view, it is desirable to 
have procedures to handle the dynamism in the network. These procedures enable efficient 
merging or partitioning of two groups in the network. 

2 Related Work 

Key establishment protocols for networks can be broadly classified into three classes: Key 
transport using symmetric cryptography, Key transport using asymmetric cryptography and 
Key agreement using asymmetric cryptography. In key transport protocols, one participant 
chooses the group key and securely transfers it to other participants using a priori shared 
secrets (symmetric or asymmetric). These protocols are not suitable for ad hoc networks for 
two reasons; firstly, they require a single trusted authority to distribute keys and secondly, 
compromise of the a priori secret of any participant breaches the security of all past group 
keys, thus failing to provide forward secrecy. Thus GKA protocols are more relevant since 
they provide this forward secrecy property. 

Most group key agreement protocols are derived from the two-party Diffie-Hellman key exchange protocol. GKA protocols, not based on Diffie-Hellman, are few and include the protocols of Pieprzyk and Li [PL00], Tzeng and Tzeng [TT00] and Boyd and Nieto [BN03]. Both protocols of Pieprzyk and Li [PL00] and Boyd and Nieto [BN03] fail to provide forward secrecy while the protocol of Tzeng and Tzeng [TT00] is quite resource-intensive and prone to certain attacks [BN03]. Forward Secrecy is a very desirable property for key establishment protocols in ad hoc networks, as some nodes can be easily compromised due to low physical security of nodes. Thus it is essential that compromise of one single node does not compromise all past session keys. We summarize and compare in Table 1 existing GKA protocols based on Diffie-Hellman protocols. We compare essentially the unauthenticated versions of the protocols, as most achieve authentication by using digital signatures in a very similar manner and thus have similar added costs for achieving authentication. We compare the efficiency of these protocols based on the following parameters:

• Number of synchronous rounds: In a single synchronous round, multiple independent messages can be sent in the network. The total time required to run a round-efficient GKA protocol can be much less than other GKA protocols that have the same number of total messages but more rounds. This is because the nodes spend less time waiting for other messages before sending their own.

• Number of messages: This is the total number of messages (unicast or broadcast) 
exchanged in the network to derive the group key. For multiple hop ad hoc networks, 
the distinction between unicast and broadcast messages is important as the latter can 
be much more energy consuming (for the whole network) than the former. 

• Number of exponentiations: All Diffie-Hellman based GKA protocols require a number of modular exponentiations to be performed by each participant. Relative to all cryptographic operations, a modular operation is the most computationally intensive operation and thus gives a good indication of the computational cost for each node.

Table 1: Comparison of non constant rounds GKA protocols

†: $m$ exponentiations for the base station.
‡: $m + 1$ exponentiations and $m-1$ inverse calculations for the parent node.
*: Up to $2m$ exponentiations for the sponsor node.
**: $m$ exponentiations for the leader.

Table 2: Comparison of constant round GKA protocols

Communication costs still remain the critical factor for choosing energy-efficient protocols for most ad hoc networks. A modular exponentiation (which is most efficiently done using elliptic curve cryptography) can be performed in a few tens of milliseconds on most palmtops, whereas message propagation in multi-hop ad hoc networks can easily be of the order of a few seconds and has energy implications for multiple nodes in the network. As can be seen in Table 1, most existing GKA protocols require $O(m)$ rounds of communication for $m$ participants in the protocol. Such protocols do not scale well in ad hoc networks. Even tree-based GKA protocols with $O(\log m)$ rounds can be quite demanding for medium to large sized ad hoc networks. Therefore constant-round protocols are better suited for ad hoc networks.
Among the constant round protocols (see Table 2), Octopus [BW98], BDB [KY03] and KLL [KSML04] require special ordering of the participants. This results in messages sent by some participant being dependent on that of others. In such a case, failure of a single node can often halt the protocol. Thus such protocols are not robust enough to adapt well to the dynamism of ad hoc networks. The BCEP protocol [BCEP03] involves a base station, and fails to provide forward secrecy if the long-term secret of the base station is revealed. The Bresson and Catalano protocol [BC04] is computationally demanding with $O(m)$ exponentiations for each participant. Another drawback is that if any participant's message is lost in the first round, the whole protocol is brought to a halt, as the secret sharing scheme implies that all $m$ contributions are required to compute the key. Thus only the protocols NKYW and STR (described below in detail) seem to be usable in MANETs.

NKYW [NLKW04]: The original paper proposes this protocol for ad hoc networks composed of devices with unequal computational powers. In the first round, each participant $M_i$ unicasts its contribution $g^{r_i}$, $i \in [1, n-1]$, to a fixed node $M_n$, called the parent node. The parent node chooses random $r$ and $r_n$ and computes w = , $x_n = g^{r r_n}$ and $x_i = (g^{r_i})^r$ for each received $g^{r_i}$. It broadcasts $w$ and $\{x_n * \prod_{j \neq i} x_j\}_i$. The key is derived from $\prod_i x_i$. The protocol remains a bit expensive computationally compared to the protocol that will be described in this paper.

STR [SSDW88], [KPT04]: This protocol was proposed by Steer et al. in [SSDW88] for static groups. Perrig et al. proposed procedures to handle group changes in [KPT04]. Although this protocol has not been cited as a constant round protocol till now, we explain here in detail why this protocol is indeed a constant round protocol. In the first round, each participant $M_i$ broadcasts its contribution $g^{r_i}$ (also known as its blinded key). In the second round, a key-tree as shown in Figure 1, where each leaf node represents a participant, is constructed using participant IDs or the value of the contributions. The node in the bottom-most, left-most position in the tree is called the sponsor. The sponsor node broadcasts the set of blinded keys for all the intermediate nodes up to the root node. For the case shown 
in Figure [1] the broadcast message is {g"^^ ,g'^'^ ,g^^ , g^'^ , g^ ,5^ }• The group key is 

K= g^i-s"^^" . Participant Mi has to perform m ~ i exponentiations except the sponsor 
which has to compute 2m exponentiations. The protocol lacks a proof of security against 
active adversaries. 

Thus both these protocols are computationally more expensive compared to the protocol 
that will be described in this paper. 

The contributions of this paper are the following: 

• an authenticated dynamic group key agreement protocol is recalled [ABIS05],

• the mechanisms that must be used in a MANET to implement this group key agreement protocol are described,

• a precise study of the cryptographic parameters that this group key agreement protocol must use in the context of an ad hoc network is carried out.
Figure 1: The STR Protocol

Finally, the adapted version of the group key agreement protocol that we propose, which we call AGDH for Asymmetric Group Diffie Hellman, is among the very few group key agreement protocols suitable for ad hoc networks.

The paper is organized as follows: 

• Section 3 recalls the group key agreement protocol. We describe the basic functioning of the protocol only,

• Section 4 explains how this group key agreement protocol can be implemented in an ad hoc network. The main issues discussed in this section include the election of a leader in the ad hoc network and the actions that must be undertaken to handle splits and mergers in the ad hoc network,

• Section 5 discusses the overhead of cryptographic operations.

3 Presentation of AGDH 

We recall an existing group key agreement protocol in this section. We first illustrate the 
basic principle of key exchange, followed by a detailed explanation of how it is employed 
to derive Initial Key Agreement, Join/Merge and Delete/Partition procedures to handle 
dynamism in ad hoc groups. 
3.1 Notation

$G$: A subgroup (of prime order $q$ with generator $g$) of some group.
$U_i$: $i$-th participant amongst the $n$ participants in the current session.
$U_l$: The current group leader ($l \in \{1, \ldots, n\}$).
$r_i$: A random number (from $[1, q-1]$) generated by participant $U_i$. Also called the secret for $U_i$.
$g^{r_i}$: The blinded secret for $U_i$.
$g^{r_i r_l}$: The blinded response for $U_i$ from $U_l$.
$\mathcal{M}$: The set of indices of participants (from $\mathcal{P}$) in the current session.
$\mathcal{J}$: The set of indices of the joining participants.
$\mathcal{D}$: The set of indices of the leaving participants.
$x \leftarrow y$: $x$ is assigned $y$.
$x \xleftarrow{r} S$: $x$ is randomly drawn from the uniform distribution $S$.
$U_i \rightarrow U_j : \{M\}$: $U_i$ sends message $M$ to participant $U_j$.
$U_i \xrightarrow{B} \mathcal{M} : \{M\}$: $U_i$ broadcasts message $M$ to all participants indexed by $\mathcal{M}$.
$N_i$: Random nonce generated by participant $U_i$.
$V_{PK_i}\{msg_i, \sigma_i\}$: Signature verification algorithm which returns 1 if $\sigma_i$ is a valid signature on message $msg_i$ else 0.

3.2 A Three Round Protocol 
3.2.1 The formal description 

Please note that in the following rounds each message is digitally signed by the sender ($\sigma_i^j$ is the signature on message $msg_i^j$ in Tables 3-5) and is verified (along with the nonces) by the receiver before following the protocol. Thus we omit to describe these steps, which are formally shown in Tables 3-5.

Protocol Steps:

Round 1: The chosen group leader, $M_l$, makes an initial request (INIT) with his identity $U_l$ and a random nonce $N_l$ to the group $\mathcal{M}$.

Round 2: Each interested $M_i$ responds to the INIT request with an IREPLY message, which contains his identity $U_i$, a nonce $N_i$ and a blinded secret $g^{r_i}$, to $M_l$ (see Table 3 for exact message contents).

Round 3: $M_l$ collects all the received blinded secrets, raises each of them to its secret ($r_l$) and broadcasts them along with the original contributions to the group, i.e. it sends an IGROUP message that contains $\{U_i, N_i, g^{r_i}, g^{r_i r_l}\}$ for $i \in \mathcal{M} \setminus \{l\}$.

Key Calculation: Each $M_i$ checks if its contribution is included correctly and obtains $g^{r_l}$ by computing $(g^{r_i r_l})^{r_i^{-1}}$. The group key is

$$Key = g^{r_l} * \prod_{i \in \mathcal{M} \setminus \{l\}} g^{r_i r_l} = g^{r_l (1 + \sum_{i \in \mathcal{M} \setminus \{l\}} r_i)}$$

Round 1
  $l \xleftarrow{r} \mathcal{M}$, $N_l \xleftarrow{r} \{0,1\}^k$
  $U_l \xrightarrow{B} \mathcal{M} : \{msg_l^1 = \{\text{INIT}, U_l, N_l\}, \sigma_l^1\}$
Round 2
  $\forall i \in \mathcal{M} \setminus \{l\}$, if ($V_{PK_l}\{msg_l^1, \sigma_l^1\} == 1$), $r_i \xleftarrow{r} [1, q-1]$, $N_i \xleftarrow{r} \{0,1\}^k$
  $U_i \rightarrow U_l : \{msg_i = \{\text{IREPLY}, U_l, N_l, U_i, N_i, g^{r_i}\}, \sigma_i\}$
Round 3
  $r_l \xleftarrow{r} [1, q-1]$,
  $\forall i \in \mathcal{M} \setminus \{l\}$, if ($V_{PK_i}\{msg_i, \sigma_i\} == 1$) and $N_l$ is as contributed
  $U_l \xrightarrow{B} \mathcal{M} : \{msg_l^2 = \{\text{IGROUP}, U_l, N_l, \{U_i, N_i, g^{r_i}, g^{r_i r_l}\}_{i \in \mathcal{M} \setminus \{l\}}\}, \sigma_l^2\}$
Key Computation
  if ($V_{PK_l}\{msg_l^2, \sigma_l^2\} == 1$) and $g^{r_i}$ and $N_i$ are as contributed

Table 3: IKA

Note:

1) The original contributions are included in the last message as they are required for key calculation in case of group modifications (see below), and also because it may be possible that a particular contribution has not been received by some member.

2) Even though $\prod_{i \in \mathcal{M} \setminus \{l\}} g^{r_i r_l}$ is publicly known, it is included in key computation, to derive a key composed of everyone's contribution. This ensures that the key cannot be pre-determined and is unique to this session.

3) Even though the current group leader chooses his contribution after others, he cannot pre-determine the group key.

The protocol is formally defined in Table 3. Table 4 (respectively Table 5) shows how the protocol is run when a group wants to join (respectively leave) an existing group.

3.2.2 Example runs of the protocol 

We now see how this protocol can be used to derive Initial Key Agreement (IKA), Join/Merge and Delete/Partition procedures for ad hoc networks.

Initial Key Agreement Secure ad hoc group formation procedures typically involve peer discovery and connectivity checks before a group key is derived. Thus, an INIT request is issued by a participant and all interested peers respond. The responses are collected and connectivity checks are carried out to ensure that all participants can listen/broadcast to the group (see for instance [RHH01]). After the group membership is defined, GKA procedures are implemented to derive a group key. Such an approach is quite a drain on the limited resources of ad hoc network devices. Thus an approach which integrates the two separate procedures of group formation and group key agreement is required. The above protocol fits well with this approach. Round 1 and Round 2 of the above protocol can be incorporated into the group formation procedures. In this way, blinded secrets, $g^{r_i}$'s, of all potential members, $U_i$'s, are collected before the group composition is defined. When the fully connected ad hoc group is defined, a single broadcast message (Round 3 in Table 3) from the group leader, $U_l$, (using contributions of only the joining participants) helps every participant to compute the group key. An example is provided below.

Suppose $U_1$ initiates the group discovery and initially 5 participants express interest and send $g^{r_2}$, $g^{r_3}$, $g^{r_4}$, $g^{r_5}$ and $g^{r_6}$ respectively along with their identities and nonces. Finally only 3 join because of the full-connectivity constraint. Suppose the participants who finally join are $U_2$, $U_4$ and $U_5$. Then the group leader, $U_1$, broadcasts the following message: $\{g^{r_2}, g^{r_4}, g^{r_5}, (g^{r_2})^{r_1}, (g^{r_4})^{r_1}, (g^{r_5})^{r_1}\}$. On receiving this message, each participant can derive $g^{r_1}$ using his respective secret. Thus the key $g^{r_1(1 + r_2 + r_4 + r_5)}$ can be computed.

Round 1
  $\forall i \in \mathcal{J}$, $r_i \xleftarrow{r} [1, q-1]$, $N_i \xleftarrow{r} \{0,1\}^k$
  $U_i \xrightarrow{B} \mathcal{M} : \{msg_i = \{\text{JOIN}, U_i, N_i, g^{r_i}\}, \sigma_i\}$
Round 2
  $\forall i \in \mathcal{J}$, if ($V_{PK_i}\{msg_i, \sigma_i\} == 1$), $r_l \xleftarrow{r} [1, q-1]$, $l' \xleftarrow{r} \mathcal{M} \cup \mathcal{J}$
  $U_l \rightarrow U_{l'} : \{msg_l = \{\text{JREPLY}, \{U_i, N_i, g^{r_i}\}_{i \in \mathcal{M} \cup \mathcal{J}}\}, \sigma_l\}$
Round 3
  if ($V_{PK_l}\{msg_l, \sigma_l\} == 1$), $l \leftarrow l'$, $r_l \xleftarrow{r} [1, q-1]$, $\mathcal{M} \leftarrow \mathcal{M} \cup \mathcal{J}$
  $U_l \xrightarrow{B} \mathcal{M} : \{msg_l^2 = \{\text{JGROUP}, U_l, N_l, \{U_i, N_i, g^{r_i}, g^{r_i r_l}\}_{i \in \mathcal{M} \setminus \{l\}}\}, \sigma_l^2\}$
Key Computation
  if ($V_{PK_l}\{msg_l^2, \sigma_l^2\} == 1$) and $g^{r_i}$ and $N_i$ are as contributed

Table 4: Join/Merge

Join/Merge Suppose new participants, $U_9$ and $U_{10}$, join the group of $U_1$, $U_2$, $U_4$ and $U_5$ with their contributions $g^{r_9}$ and $g^{r_{10}}$ respectively. Then the previous group leader ($U_1$) changes its secret to $r_1^*$ and sends $g^{r_1^*}$, $g^{r_2}$, $g^{r_4}$, $g^{r_5}$, $g^{r_9}$, $g^{r_{10}}$ to $U_{10}$ (say the new group leader). $U_{10}$ generates a new secret $r_{10}^*$ and broadcasts the following message to the group: $\{g^{r_1^*}, g^{r_2}, g^{r_4}, g^{r_5}, g^{r_9}, g^{r_{10}^* r_1^*}, g^{r_{10}^* r_2}, g^{r_{10}^* r_4}, g^{r_{10}^* r_5}, g^{r_{10}^* r_9}\}$. And the new key is $g^{r_{10}^*(1 + r_1^* + r_2 + r_4 + r_5 + r_9)}$.

Delete/Partition When participants leave the group, they send a DEL message, the group leader changes his secret contribution and sends an IKA Round 3 like message to the group, omitting the leaving participants' contributions. Refer to Table 5 and below for an example.

Round 1
  $\forall i \in \mathcal{D}$, $U_i \rightarrow U_l : \{msg_i = \{\text{DEL}, U_i, N_i\}, \sigma_i\}$
Round 2
  $\forall i \in \mathcal{D}$, if ($V_{PK_i}\{msg_i, \sigma_i\} == 1$), $r_l \xleftarrow{r} [1, q-1]$, $\mathcal{M} \leftarrow \mathcal{M} \setminus \mathcal{D}$
  $U_l \xrightarrow{B} \mathcal{M} : \{msg_l = \{\text{DGROUP}, U_l, N_l, \{U_i, N_i, g^{r_i}, g^{r_i r_l}\}_{i \in \mathcal{M} \setminus \{l\}}\}, \sigma_l\}$
Key Computation
  if ($V_{PK_l}\{msg_l, \sigma_l\} == 1$) and $g^{r_i}$ and $N_i$ are as contributed
  Key =

Table 5: Delete/Partition

Suppose a participant, $U_2$, leaves the group of $U_1$, $U_2$, $U_4$, $U_5$, $U_9$ and $U_{10}$. Then the leader, $U_{10}$, changes its secret to $r_{10}'$ and broadcasts $\{g^{r_1^*}, g^{r_4}, g^{r_5}, g^{r_9}, (g^{r_1^*})^{r_{10}'}, (g^{r_4})^{r_{10}'}, (g^{r_5})^{r_{10}'}, (g^{r_9})^{r_{10}'}\}$ to the group. And the new key is $g^{r_{10}'(1 + r_1^* + r_4 + r_5 + r_9)}$.
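
The three example runs above (IKA, Join/Merge, Delete/Partition) can be replayed with the key computation of Section 3.2.1. This is an added example, not code from the paper: the toy group (p = 2039, q = 1019, g = 4) and all function names are assumptions made for illustration, and the signatures and nonces of Tables 3-5 are left out so that only the key derivation is shown.

```python
import secrets
from math import prod

# Constructed toy group, far too small for real use: p = 2q + 1 with p, q prime,
# and g = 4 generating the subgroup of prime order q (assumption, not from the paper).
P, Q, G = 2039, 1019, 4


def fresh_secret():
    """Draw r uniformly from [1, q-1]."""
    return 1 + secrets.randbelow(Q - 1)


def blind(r):
    """Blinded secret g^r."""
    return pow(G, r, P)


def leader_broadcast(r_l, blinded):
    """Leader's GROUP payload: {i: (g^{r_i}, g^{r_i r_l})} for every other member i."""
    return {i: (b, pow(b, r_l, P)) for i, b in blinded.items()}


def leader_key(r_l, blinded):
    """Key as the leader computes it: g^{r_l} times the product of all g^{r_i r_l}."""
    return blind(r_l) * prod(pow(b, r_l, P) for b in blinded.values()) % P


def member_key(i, r_i, broadcast):
    """Key as member i computes it from the broadcast and its own secret r_i."""
    if i not in broadcast or broadcast[i][0] != blind(r_i):
        raise ValueError(f"U{i}: contribution missing or altered")
    # (g^{r_i r_l})^(1/r_i mod q) = g^{r_l}, because g has prime order q.
    g_rl = pow(broadcast[i][1], pow(r_i, -1, Q), P)
    return g_rl * prod(resp for _, resp in broadcast.values()) % P


def run_session(leader, secrets_by_id):
    """Final round plus key computation; returns {participant: derived key}."""
    r_l = secrets_by_id[leader]
    blinded = {i: blind(r) for i, r in secrets_by_id.items() if i != leader}
    msg = leader_broadcast(r_l, blinded)
    keys = {leader: leader_key(r_l, blinded)}
    keys.update({i: member_key(i, r, msg)
                 for i, r in secrets_by_id.items() if i != leader})
    return keys


def demo():
    """Replay the three runs of the text: IKA, Join/Merge, Delete/Partition."""
    group = {i: fresh_secret() for i in (1, 2, 4, 5)}
    ika = run_session(1, group)        # U1 leads U2, U4, U5

    group[1] = fresh_secret()          # previous leader refreshes its secret
    group[9] = fresh_secret()          # U9 joins
    group[10] = fresh_secret()         # U10 joins and becomes the new leader
    join = run_session(10, group)

    del group[2]                       # U2 leaves
    group[10] = fresh_secret()         # leader refreshes its secret
    delete = run_session(10, group)
    return ika, join, delete


if __name__ == "__main__":
    for name, keys in zip(("IKA", "Join/Merge", "Delete/Partition"), demo()):
        print(name, keys)
```

Every participant of a run ends with the same value, and a member whose blinded secret is missing from or changed in the broadcast refuses to derive a key.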

4 Using this GKA protocol within an ad hoc network 

In the following we are considering a multi-hop ad hoc network. We are not assuming any particular property of the routing protocol which ensures the connectivity of the network. We can use reactive protocols such as AODV or DSR [PBRD03, JMH04] where the connectivity is created on demand when a route is needed. We can also use proactive protocols such as OLSR or TBRPF [ACJ+03a], [OTL04] where synchronous packets are used to maintain the knowledge of the topology. We will assume that we have a broadcast mechanism to flood messages within the ad hoc network. We are not assuming that this flooding mechanism is reliable, but we assume that the network is connected and that flooded messages finally reach all the network nodes.¹

A key point in the GKA protocol described above is the existence of a group leader. Thus it is necessary to have a robust mechanism to elect such a leader in an ad hoc network. That is the first issue that we study.

4.1 Election of a group leader 

A key requirement is that all members of a group agree on the same group leader. A simple solution is that the group leader periodically broadcasts messages. These messages then serve as a proof, for nodes that are within reach of the group leader, that a group leader exists and operates properly. We can simply use the INIT message of the GKA protocol to demonstrate the existence and the correct functioning of the group leader. When the other nodes in the network receive this INIT message, each replies with an IREPLY message including its contribution. Using these IREPLY messages, the group leader defines a group and sends to all members of the group an IGROUP message. The INIT message can be seen as an IGROUP message when the group is not yet defined. In the following we will only use the term IGROUP message.

¹ We mean that synchronous flooded messages will finally reach all the network nodes even if there are message losses.

These IGROUP messages are sent periodically; depending on the dynamics of the 
group, the group leader will send a new IGROUP message or exactly the same message as 
before. If the network consists only of the group leader, the latter will periodically send 
empty IGROUP messages. It will stop sending this message when a node joins its network 
by replying to its IGROUP message with an IREPLY message. The mechanism to elect 
a group leader simply follows from the property that, in a network with a group leader, 
periodic messages are broadcasted by the group leader and are, in principle, received by the 
group members. If a node does not receive a message for a fixed period T, known a priori 
by the network nodes, this node sets a random timer. At the expiration of this timer and 
if no IGROUP message has been received meanwhile, the node becomes the group leader. 
It then sends an empty IGROUP message. 

There may be a collision on IGROUP messages if two or more nodes have selected the same value for their random timer. In such a case, there may be IGROUP messages generated by two (or more) group leaders. To select a group leader, we can use additional rules. The first rule is that when a group leader A receives an IGROUP message from a group leader B which has a smaller ID than its own ID, the group leader A just stops sending its periodic messages. The group members that receive periodic messages from more than one group leader will only consider the message issued by the group leader with the smallest index. Thus if an IGROUP message showing a larger ID than a previously received IGROUP message is received, then this message is simply discarded and no IREPLY message is issued. On the contrary, if an IGROUP message showing a smaller ID is received then the node issues an IREPLY message.

Another issue is how the GKA protocol takes into account the dynamism of an ad hoc 
network. For instance a node may leave the network without being able to send the group 
leader a message pointing out its departure from the network. This issue is handled in the 
next subsection.

4.2 Handling join and withdrawal of a node 

A node which joins the network will receive the periodic IGROUP message of the group leader. It will just have to send a JREPLY message, with its contribution, to join the group. The group leader will incorporate this new contribution in its next IGROUP message. Actually there is no need in the protocol to differentiate between JREPLY and IREPLY. Thus, for simplicity's sake, we will only keep the IREPLY message.

In an ad hoc network, the only conceivable way for the group leader to be sure that a node still belongs to a group is to receive a message from it. Thus to handle the dynamism of a group, the group leader will use the periodic reception of the IREPLY messages. The period with which an IREPLY message is sent by a member of the group should be the same for all the nodes of the group. If the group leader does not receive an IREPLY message for a given number of periods (greater than 1 to handle possible packet loss), the lack of reception of these messages should be handled in the same way as the reception of a DEL message. In such a case the group leader will change its own contribution in the IGROUP message and will re-send the IGROUP message.

When a node deliberately wishes to withdraw from a group it can use the DEL message 
to announce this wish to the group leader. Upon the reception of such a message the 
group leader will change its own contribution in the IGROUP message and will re-send the 
IGROUP message. The use of the DEL message will speed up the taking into account of 
the node withdrawal. 

4.3 Handling merge or split of groups 

The merger of groups (two or more) leads group leaders to receive IGROUP messages from 
other group leaders. The scheme used in the group leader election can be used to resolve 
the conflict. When the conflict is resolved only one group leader is left in the group. If a 
group splits, a part of the group will remain without group leader. The technique used in 
the group leader election can be used in the subgroups without leader to elect a new leader. 

4.4 Renewing its contribution 

The group leader and group members will have to renew their contribution periodically. For 
the group leader, the change of its contribution or of some member of the group will lead 
to a change in the content of the IGROUP message. To simplify we can assume that the 
group leader and the group members change their contribution at the same rate. 

We have given all the principles of the protocol. We give the details of the whole protocol in the next section.

4.5 Implementation issues 

We will consider a given period $T$. To simplify, this period will be used both by the group leader and by the members of the group as the period for sending their GKA messages.

A node can be in one of the following two states: member state or group leader state. A node in a member state will enter the process to become a group leader if it has not received an IGROUP message for a duration $kT$. A node which has not received any message from a group leader for a duration $kT$ with $k > 2$ will suppose that there is no group leader and starts the procedure to become a leader. Since a node may not have received a packet of the group leader because this packet has been lost, $k$ must be selected so that the probability that $k - 1$ successive transmissions of a GKA message are lost is small. Then, to become a group leader, the node selects a random integer $v$ between 1 and a given number $I$ (backoff window size) and initializes a timer at $v\,t_{rtd}$, where $t_{rtd}$ is a predefined duration computed to be at least the round trip delay of a message throughout the ad hoc network. With such a figure for $t_{rtd}$ we can be sure that if two nodes draw different integers $v$ and $v'$, the node having selected the larger integer will receive the IGROUP message of the other node and then will stop its election process. The backoff window size $I$ must be chosen with respect to the total number of nodes in the network so that the probability that two nodes choose the same integer is small. This back-off procedure is performed to avoid possibly multiple group leader candidates, for instance, when a group is set up or split into two subgroups.



When the node in the member state sends its first IGROUP message, it is in the group leader state, see Figure 2. In the group leader state, a node must collect IREPLY messages and form the related IGROUP message. When there is a change in the group (arrival or withdrawal) the group leader must change its contribution. Additionally, irrespective of the modification of the composition of the group, the group leader must change its contribution periodically, to maintain the security of the session key.

When a group leader is elected, the latter may choose to wait additional periods before sending an IGROUP message containing the contributions of the group members. Doing so, the group leader may avoid unnecessary changes to the session key due to the lack of receipt of all contributions in time.

In the group leader state, a node will also look out for IGROUP messages from another 
group leader. If it receives such a message from another group leader holding a smaller node 
index, the node changes its state to the member state. In the member state, a node 
has to send IREPLY messages periodically. Like the group leader, a group member must 
change its contribution periodically with a period P, see Figure 3. We will assume that P is 
a large multiple of T. To simplify the procedure and to avoid unnecessary computations, we 
can assume that the group leader does not instantly include a new contribution of a group 
member in the IGROUP message; instead it will wait for the change of its own contribution 



[State diagram; transition labels: "No IGROUP message for a duration kT" and "IGROUP message received from a leader with a smaller index"] 

Figure 2: Transition between the member and the leader state 
| Parameter | Value | Constraint |
|---|---|---|
| P: key renew period | 20 min | |
| T: period of IGROUP messages | 5 s | |
| k: number of message losses before assuming a node leaves | 3 | large enough to be sure that the message is not simply lost |
| I: backoff window | 20 | large enough to avoid collision during the group leader election |
| t_rtd: backoff slot for leader election | 100 ms | more than a round trip delay |

Table 6: Protocol parameters 



to take into account all new contributions of nodes. This is possible since the contribution 
of the node member is included in the IGROUP message. 



[Timeline: the group leader sends periodic IGROUP messages, one of them marked "new key"; the members send periodic IREPLY messages] 

Figure 3: Sending IGROUP and IREPLY messages 



Both IGROUP and IREPLY messages must be sent periodically, in each interval T. 
To reduce the probability of collision of these messages, we add a jitter to the times at which the 
GKA messages are sent by the group members and the group leader. 

In Table 6 we give example values for the parameters of our GKA protocol. Note 
that I and t_rtd depend heavily on the number of nodes in the network and on the topology 
of the network. 
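The dependence of I on the number of nodes can be made concrete with the following added example, which is not part of the report. It assumes every contending node hears every other node's IGROUP (single hop, no loss) and draws its slot uniformly from 1..I; the function names are illustrative. Because a node that drew a larger integer stops its election, only a tie on the smallest draw leaves several leader candidates, which is rarer than a collision anywhere in the window.

```python
from fractions import Fraction
import random


def p_any_collision(n, I):
    """Probability that at least two of n nodes draw the same slot in 1..I."""
    if n > I:
        return Fraction(1)
    distinct = Fraction(1)
    for j in range(n):
        distinct *= Fraction(I - j, I)
    return 1 - distinct


def p_multiple_leaders(n, I):
    """Probability that the smallest drawn slot is shared by two or more nodes."""
    # Unique minimum at slot v: one node draws v, the other n-1 draw strictly more.
    unique = sum(n * Fraction(1, I) * Fraction(I - v, I) ** (n - 1)
                 for v in range(1, I + 1))
    return 1 - unique


def simulate(n, I, trials, seed=1):
    """Monte Carlo estimate of p_multiple_leaders, as a cross-check."""
    rng = random.Random(seed)
    ties = 0
    for _ in range(trials):
        draws = [rng.randint(1, I) for _ in range(n)]
        ties += draws.count(min(draws)) > 1
    return ties / trials


if __name__ == "__main__":
    for n in (2, 5, 10, 20):
        print(n, float(p_any_collision(n, 20)), float(p_multiple_leaders(n, 20)))
```

With I = 20 from Table 6 and 5 contending nodes, some pair of nodes collides about 42% of the time, but the smallest slot is tied only about 12% of the time.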
| Group | Size of contributions | blindings / second = recoveries / second |
|---|---|---|
| Modular Field | 1024 bits | 10 |
| Elliptic curve | 160 bits | 93 |

Figure 4: Performance of elliptic curve cryptography versus a classical group (modular 
integers) on an iPAQ, StrongARM-1110, using the openssl implementation, for a security 
level of $2^{80}$. Blinding means computing $g^{r_i}$, and recovering means computing from the 
blinded response $g^{r_i r_0}$ of the leader. 

5 Computational overhead 

Figure 4 describes the cost, on an average small device (COMPAQ iPAQ), of elliptic curve 
cryptography, which is more efficient than classical cryptography relying on bigger groups. 
Basically, for a security level of $2^{80}$, such a device can perform almost 100 operations per 
second. Thus the latency of elliptic curve exponentiation is 10 msec per device, except for 
the leader, whose computational cost grows linearly with the size of the group. Thus there 
is concern for this particular node. Assuming that the leader devotes half its time to 
cryptographic operations, managing a group of size 50 will impose a delay of 1 second before 
being able to send the blinded response. 

The above computational load on the group leader applies when the group leader 
receives all the blinded secrets at once and has to give the blinded responses at once as well. 
In practice, the group leader will receive the blinded secrets at different time slots. It is then 
possible to perform operations in batch: the group leader can generate its own secret in 
advance, and compute on the fly the blinded responses $(g^{r_i})^{r_0}$ upon reception of each blinded 
secret $g^{r_i}$. It can also compute stepwise the product $(g^{r_1})^{r_0} \cdots (g^{r_m})^{r_0}$, where m is the 
index of the last received contribution. When it has to broadcast the IGROUP message, all 
the computationally intensive cryptographic operations necessary to generate the blinded 
responses have already been performed. 
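The batching described above, as an added sketch that is not the report's implementation. It writes r_0 for the leader's secret and r_i for member i's, uses a constructed toy modular group (P, Q, G) that is far too small for real use, and the class and method names are illustrative; what exactly goes into the IGROUP message is not specified in this section, so igroup() only returns the precomputed values.

```python
import secrets

# Constructed toy group: order-Q subgroup of Z_P^*, generator G. Not secure.
P, Q, G = 2039, 1019, 4


class Leader:
    """Group leader doing its exponentiations as IREPLY messages arrive."""

    def __init__(self):
        self.r0 = secrets.randbelow(Q - 1) + 1   # leader secret r_0, drawn in advance
        self.responses = {}                      # node id -> (g^{r_i})^{r_0}
        self.product = 1                         # running product of the responses
        self.exps = 0                            # modular exponentiations performed

    def on_ireply(self, node_id, blinded_secret):
        """Process one blinded secret g^{r_i} on reception."""
        if not 1 < blinded_secret < P:
            raise ValueError("blinded secret outside the group range")
        if node_id in self.responses:            # node re-sent: drop its old factor
            old_inverse = pow(self.responses[node_id], -1, P)
            self.product = self.product * old_inverse % P
        response = pow(blinded_secret, self.r0, P)
        self.exps += 1
        self.responses[node_id] = response
        self.product = self.product * response % P

    def igroup(self):
        """Values ready for the IGROUP broadcast; no exponentiation happens here."""
        return dict(self.responses), self.product


def all_at_once(r0, blinded_secrets):
    """Reference: the same product computed in one go at broadcast time."""
    product = 1
    for b in blinded_secrets:
        product = product * pow(b, r0, P) % P
    return product
```

The per-message cost is one exponentiation and one multiplication, so the delay that grows with group size is spread over the interval T instead of falling at broadcast time.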

6 Conclusion 

We have discussed a group key agreement protocol for handling ad hoc groups of small to 
moderate size. We have fully specified the implementation details needed for actual use of 
the protocol, relying on known network techniques such as self election, periodic broadcast, 
and back-off techniques. The protocol is robust in the sense that connectivity losses do not 
impair its functioning. We have found that the computational cost of public key 
cryptography is kept reasonably low. If we consider the constraints of ad hoc networks (no 
network structure, high dynamism, restricted bandwidth), the presented protocol is among 
the few GKA protocols which are suitable for ad hoc networks. 